1. Field of the Invention
The present invention generally relates to a method and system for preserving a user's privacy in a public network, and more particularly to a method and system for preserving a user's privacy in an 802.11 network (e.g., a so-called “WiFi Network”).
2. Description of the Related Art
Over the last few years, there has been a tremendous growth of wireless LANs from availability in university and technology companies to widespread availability in other enterprises and in public places such as trains, busses, airports, coffee shops, fast-food restaurants, etc.
Recently, commercial airlines have begun offering this technology on certain trans-Atlantic flights. It can be argued that high speed wireless LANs are one of the most significant developments in mobile computing in recent times. Indeed, the relatively low cost of 802.11 hardware has made it attractive for people to deploy a wireless network even in their homes, especially if they have a broadband connection to the Internet.
Some companies, such as Boingo™, Wayport™, Tmobile™, Cometa™, etc., offer various plans for nationwide (USA) 802.11 (e.g., the wireless protocol known as “WiFi”) wireless access through “hotspots” distributed across the country. Typical plans include one hour, one-day, ten-day, unlimited for a month, and other forms of metered access. Current service costs also appear to be affordable. Recent laptop computers offer built-in 802.11 interfaces. Handheld computers may soon follow with built-in 802.11 interfaces as well.
Overall, WiFi networks have changed the way business professionals work. Just as the cellular (e.g., mobile) telephone helped liberate people from the land line, WiFi access is helping liberate people from wired networks. People are less tied to their desks. Instead of having to carry network cables and finding seats next to network jacks in meeting rooms, people can sit anywhere they like. Business travelers may synchronize their e-mail or download information from their corporate intranet during lunch at a restaurant. WiFi networks at airports and inside planes are likely to help travelers stay in touch and get more work done during their travel.
However, the above benefits and flexibility of ubiquitous and affordable wireless access in public spaces also raise certain issues, including privacy and security. That is, who else in the public space can see the data that is being sent to the user? Also, can the service provider constantly track the user's physical location? Can the service provider build a profile of the web sites a user visits? How much of a user's privacy does one need to give up in order to benefit from these services?
The initial security mechanism for 802.11 networks, called WEP, turned out to have serious problems (e.g., see Borisov, N., Goldberg, I., Wagner, D.: Intercepting mobile communications: The insecurity of 802.11. In Proceedings of MOBICOM 2001, (2001) 180–189), rendering it largely ineffective as a security mechanism. Vendors have developed several proprietary mechanisms to mitigate the security loopholes of WEP (e.g., see Convery, S., Miller, D., Sundaralingam, S.: Cisco SAFE: Wireless LAN Security in Depth, http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safwl_wp.htm). Security initiatives such as 802.1X (e.g., see Mishra, A., Arbaugh, W.A.: An Initial Security Analysis of the IEEE 802.1X Standard, Dept. of Computer Science, Univ. of Maryland at College Park, CS-TR-4328, (February 2002)) are currently underway in the standards bodies (e.g., see IEEE 802.11 Wireless LAN Standards, IEEE 802.11 Working Group, http://grouper.ieee.org/groups/802/11/).
While security is a closely related topic, an important issue is privacy of the users of public WiFi networks.
Specifically, the protection of location privacy, namely safeguards that enable users of WiFi networks to avoid revealing their current location as they move among different wireless hotspots, would be important and would enable the further development and utility of WiFi networks.
When the portable computer belonging to a user connects to a WiFi network, the network operator can tell which access point the user is associated with. With adequate information about the location of the access points, the user can be located to within a few meters. For instance, it may be possible to pinpoint the location of a user to a particular floor of a hotel, or a particular section of an airport terminal. It may also be possible to know that an individual is currently en route on a particular flight from London to New York.
WiFi networks carry the potential for revealing much more precise location, compared to other widely-deployed technologies such as cell phones or pagers (e.g., see Wireless Location Privacy, http://www.cdt.org/privacy/issues/location/).
WiFi networks operate with much smaller “cell” sizes because they are required to operate at lower power levels and in environments that have poor signal propagation and interference properties. Small cell sizes help maintain signal quality and higher communication bandwidth.
With the increasing popularity of WiFi networks comes an increasing user population that is likely to have little or no technical background. These users are unlikely to understand how wireless communication works. It is also improbable that they will understand how their privacy can be compromised. They are even less likely to understand and follow security protocols to help improve their privacy. Price and ease of use are generally the overriding factors that determine the success of a mass-market offering targeted to such users. It is imperative that privacy protection be made possible without an increase in price, or additional explicit actions by the user.
Their lack of knowledge notwithstanding, users still have several tacit expectations of the technology. Technologists should deliver (e.g., see Cranor, L. F.: The Role of Privacy Enhancing Technologies, In Considering Consumer Privacy: A Resource for Policymakers and Practitioners, Center for Democracy and Technology, March 2003, pp. 80–83) on these expectations even though the users may not be able to express their expectations in terms technologists use (e.g., see Langheinrich, M., Privacy by Design: Principles of Privacy-aware Ubiquitous Systems, In Proceedings of Ubicomp (2001) 273–291). Delivering on these expectations is a fundamental requirement for achieving the vision of truly ubiquitous computing (e.g., see Weiser, M.; The Computer for the 21st Century, Scientific American 1991, 265(3), 94–104).
Safeguarding privacy is like transporting water using a bucket that is riddled with holes. Newer technologies, and their usage modes, tend to create more holes in the bucket. While one may not be able to plug all the holes in the bucket, it is still worthwhile to examine each hole individually and to devise means to plug that particular hole. Existence of a hole elsewhere in the bucket is not a justification for creating a new hole, or to avoid plugging one that can be plugged.
Prior to the present invention, there has been no simple and practical solution to the leaking of fine-grain location information as mobile users take advantage of pervasive wireless Internet access services. Moreover, there has been no practical solution which has been simple and easy for non-technical users to adopt and believe in. Further, there has been no solution cost-effective and attractive enough that service providers find it better than alternatives that lack privacy properties.
A simple approach to providing WiFi access involves a subscriber establishing an account with a service provider. To establish the account, the subscriber will typically provide her name, address, and a credit card number. In addition, the service provider may collect other personal information such as phone numbers, and an e-mail address. The subscriber will establish a login id and password as part of the service set up.
Subsequently, the subscriber will sign on using the login id and password to obtain WiFi access. The service provider will use the login id to measure the subscriber's usage and bill the subscriber for the service. The service provider may also have roaming agreements with several other providers to enable subscribers to obtain WiFi service at various locations.
The service provider will prepare a service agreement which states what information they gather about subscribers, how long they retain the information, how they use the information, and who they share that information with. The service agreement will typically run to several pages of legal language that most subscribers will not fully comprehend, or even bother to read. Nevertheless, the service provider insists that the subscriber sign a statement accepting their terms. Most subscribers will assume that the agreement is benign, and sign it without fully understanding the implications. The subscriber's signature gives the service provider a license to use the information gathered about the subscriber.
Most subscribers will generally be unaware of the amounts of information that the service provider can potentially obtain and link with them. The individual pieces of information may just be minor privacy leaks. However, when someone can build a bigger picture by correlating different bits of information and associating all of these bits of information with a particular subscriber, the privacy invasion becomes much more worrisome. If the details of the correlated information gathered about a subscriber are subsequently revealed to her, the reaction will generally be one of shock and disbelief. For instance, the service provider may be able to tell which cities a subscriber visited. Depending on the extent of WiFi coverage, the service provider may have knowledge of which restaurants or other public places the subscriber visited and at what times. The service provider may also know which web sites the subscriber normally visits and what kinds of information she reads.
Kotz and Essien (e.g., see Kotz, D., and Essien, K.; “Analysis of a Campus-Wide Wireless Network”, Proc. of the 8th Annual Intl. Conf. on Mobile Computing and Networking, ACM Press, (2002), 107–118) have shown that it is possible to collect several pieces of information about WiFi users and also correlate pieces of information that are gathered at different geographic locations at different points in time. They collected data at a university WiFi network, using simple low cost instrumentation. The analysis and correlation were also done using relatively inexpensive hardware. Even so, a detailed and rich picture was built of the users of the WiFi network. A service provider with a profit motive and access to additional resources could be easily tempted to collect, correlate, and hoard much more information.
Once such information is available, it may be used in ways that may surprise most subscribers. An employee of the service provider might notice that the mobile computers belonging to top executives of company A are frequently seen at the same hotspots as the mobile computers of the top executives of company B. This might lead the employee to speculate on an impending deal between the companies even if all the communication between the two companies was both oral and private. A business may want to buy the e-mail addresses of people who travel on a particular route and send them targeted e-mail solicitations.
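The correlation described in the preceding paragraphs, as an added illustration that is not part of the patent text: access-point association records joined with an access-point location table yield a per-subscriber movement trail, and the same join across two subscribers yields the "seen at the same hotspots" inference. All log records, access-point names and the per-session pseudonyms in the second log are constructed for this example; the patent's own privacy mechanism is not described here.

```python
"""Added illustration: how association logs plus an AP location table let an
operator reconstruct where a subscriber has been, and how far the linkage goes
when sessions are not tied together by one persistent login id."""
from collections import defaultdict

# Constructed access-point inventory: the operator knows where each AP sits.
AP_LOCATIONS = {
    "ap-017": ("Hotel lobby, floor 1", "Boston"),
    "ap-042": ("Terminal B gate area", "Boston"),
    "ap-311": ("Coffee shop, 5th Ave", "New York"),
    "ap-320": ("Conference center, hall 2", "New York"),
}

# Constructed association log: (time, identifier, AP the client associated with).
# With the account-based scheme in the text, the login id repeats every session.
PERSISTENT_ID_LOG = [
    ("2003-05-01T08:10", "alice", "ap-017"),
    ("2003-05-01T11:45", "alice", "ap-042"),
    ("2003-05-01T15:30", "alice", "ap-311"),
    ("2003-05-02T09:05", "alice", "ap-320"),
    ("2003-05-01T08:12", "bob", "ap-017"),
]

# The same movements, but each session carries a fresh identifier
# (hypothetical pseudonyms, constructed here; not the patent's mechanism).
PSEUDONYM_LOG = [
    ("2003-05-01T08:10", "s-9f1", "ap-017"),
    ("2003-05-01T11:45", "s-2c7", "ap-042"),
    ("2003-05-01T15:30", "s-e04", "ap-311"),
    ("2003-05-02T09:05", "s-77a", "ap-320"),
    ("2003-05-01T08:12", "s-b13", "ap-017"),
]


def build_trails(log, ap_locations=AP_LOCATIONS):
    """Join each record with its AP's location; group the result by identifier."""
    trails = defaultdict(list)
    for when, ident, ap in sorted(log):
        venue, city = ap_locations[ap]
        trails[ident].append((when, ap, venue, city))
    return dict(trails)


def longest_trail(trails):
    """Most records linkable to a single identifier: the size of the privacy leak."""
    return max(len(t) for t in trails.values())


def cities_for(trails, ident):
    """Distinct cities an identifier was seen in, in order of first appearance."""
    seen = []
    for _, _, _, city in trails.get(ident, []):
        if city not in seen:
            seen.append(city)
    return seen


def co_located(trails, a, b):
    """(date, AP) pairs at which both identifiers were seen on the same day."""
    seen_a = {(when[:10], ap) for when, ap, _, _ in trails.get(a, [])}
    seen_b = {(when[:10], ap) for when, ap, _, _ in trails.get(b, [])}
    return sorted(seen_a & seen_b)
```

With the persistent login id, four records and two cities are tied to one identity; with per-session identifiers the same log links no more than one record to any identifier.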
It is noted that the security mechanisms that are being proposed to replace WEP will not prevent the service provider from gathering and using information. While 802.11 security schemes may prevent malicious bystanders from snooping the subscriber's Internet traffic or modifying the traffic in nasty ways, it is unlikely that the proposed security schemes will impose any form of deterrent on the service provider from obtaining and logging information about a subscriber.
Many subscribers will typically establish an IPSec VPN connection to the intranet at their place of employment because of corporate requirements. The VPN tunnels hide intranet traffic from the service provider and everyone else.
However, any traffic to Internet sites is typically sent directly, and can be observed by the service provider unless protected by SSL. More importantly, establishment of a VPN does not prevent the leak of location information to the service provider.
Safeguarding personal privacy is a fundamentally difficult problem because businesses inherently seek more information about the people they serve. In general, the more information a business has about its customers, the better its chances of catering to the needs of its customers, and the better its chances of improving profits. All things being equal, a business that has more information is likely to outperform its competition. Any privacy mechanism designed to safeguard user privacy must fight this fundamental proclivity of businesses seeking more information about their customers.
Businesses sometimes cannot function without obtaining certain pieces of personal information about their customers. For instance, laws require some businesses to obtain private information about their customers. U.S. financial institutions are required to obtain social security numbers in order to report income to the government.
Ignorance of the ways in which private information is collected and used enables businesses to develop technologies and business models that continue to punch holes in the privacy bucket. Businesses often develop innovative and useful services that leverage such information. Once such a service has been deployed, it may be hard to justify technologies that plug the privacy leak which enabled the service. It may also be difficult to lobby for laws that plug the leak because privacy advocates would be pitted against customers and businesses who benefit from the service.
Ignorance and apathy among users help businesses avoid compensating the users for the usage of information. As businesses exploit some private information successfully, they are encouraged to collect even more. Effectively, a vicious cycle gets established, resulting in a continuous and progressive erosion of privacy.
Sometimes users are offered a benefit for giving up some private information, and sometimes the information is stolen from them without their knowledge. At other times, giving up information is made a precondition to obtaining a service. For instance, many U.S.-based mobile phone companies collect customer social security numbers to run credit checks.
Given the motivating factors described above, safeguarding privacy seems difficult. However, there are several factors working in favor of maintaining privacy. Some factors that prevent businesses from gathering and using more information than they rightfully require include: laws that place limits on the businesses; the cost of acquiring, retaining and processing huge volumes of information; the tendency of businesses to protect information they hold; the bad publicity that might arise if customers were to learn what information is being gathered about them and how it is being used; and competitive pressures.
Laws: Fundamentally, businesses exist to generate revenues and profits. However, they must obey the laws that govern their behavior. Nations often pass laws that intend to safeguard user privacy. However, a majority of the people are unaware that their privacy is being violated. As a result, law makers seldom hear requests or demands for stringent privacy protection laws. As technologists help people become more aware of privacy issues (e.g., see Nguyen, David H., and Elizabeth D. Mynatt. Privacy Mirrors: Understanding and Shaping Socio-technical Ubiquitous Computing Systems. Georgia Institute of Technology Technical Report GIT-GVU-02-16. June 2002), the public is likely to pressure their law makers to make laws that protect privacy. An aware public will also pressure lawmakers into avoiding laws that mandate the collection of excessive amounts of data.
One recent example is the Health Insurance Portability and Accountability Act (HIPAA) (e.g., see Health Insurance Reform: Security Standards Final Rule, Federal Register Vol. 68, No. 34, http://aspe.hhs.gov/admnsimp/FINAL/FR03-8334.pdf), where the U.S. federal governing body has specified the privacy requirements for medical records in great detail. The European Union has also passed several laws aimed at protecting privacy.
Data Acquisition and Management Costs: In several cases, the high cost of acquiring and managing the data works in favor of privacy. If businesses cannot perceive a near term return on their investment in data gathering and management costs, then it is unlikely that they will bother.
For instance, due to the recent regulations, cell phone providers are required to deploy technologies capable of precisely locating subscribers who call to report an emergency situation.
However, there is usually a significant cost involved in obtaining precise location. This high cost generally prevents cell phone providers from tracking all of their subscribers at the same level of precision at all times. Nevertheless, better technologies are rapidly reducing the cost of collecting, managing and correlating information. As costs reduce, the return-on-investment equation becomes easier to satisfy.
Information hoarding: One business may acquire some information about a particular user and another business may acquire some other information about the same user. If the two businesses were able to share and cross-correlate their databases, then they may be able to build a user profile that is much more complete. However, businesses tend to be protective of the data they control and tend not to share. Nevertheless, mergers and acquisitions amongst businesses can eliminate such barriers (e.g., in 1999 the online advertising company DoubleClick merged with the off-line consumer database company Abacus Direct (e.g., see Privacy Groups See Danger in Merger, New York Times, Jun. 22, 1999, Section C, Page 6). The merged organization's intent to correlate their databases was the subject of several complaints and lawsuits.)
Brand Image: Businesses place a high value on their image in the public view and are wary of publicity that can impact this image negatively. A business that receives public attention as a result of their privacy violations (or even potential privacy violations) often suffers a significant blow to their brand image. There are several well-known examples, such as the recent release of many credit card numbers, unique serial numbers on CPU chips (e.g., see Intel Pentium® III Processor Serial Number, http://www.cdt.org/privacy/issues/pentium3/), etc. As a result, publicity concerning the misuse or leakage of private information is a powerful deterrent aiding privacy protection.
Competition: Another powerful factor motivating businesses to honor privacy is marketplace competition. If one business develops a technology and business model that can offer better privacy protection to its customers, then its competitors may be pressured into adopting similar models. If a business can advertise its privacy advantages in the popular media, then its competition will be under greater pressure.
Effectively, competition can build a virtuous cycle that encourages businesses to outdo each other on the privacy front.
It is noted that for privacy to be a selling point, the technology must be simple and obvious enough that a short 30 second TV commercial or a half page of printed advertising can explain the advantages to the customer. The privacy advantages of the solution should be self-evident to most non-technical customers. Privacy enhancing mechanisms must be easily adopted by non-technical users. Solutions that meet these requirements are candidates capable of creating virtuous cycles.
Solutions capable of creating virtuous cycles may already exist. Lack of awareness may be the only issue preventing the cycle from taking hold. A virtuous cycle leading to the eventual demise of caller-id can be initiated by one phone company offering caller-id blocking as the default and free option, actively advertising the privacy benefits of their service, and successfully stealing customers from their competitors.
Thus, prior to the present invention, there has been no mechanism which has improved awareness of privacy issues, and secondly there has been no method or system for developing privacy enhancing solutions that are simple to understand and easy to deploy.